HTTPoxy Patch and Mitigation Links

HTTPoxy Status

HTTPoxy is a CGI bug that relates to how web servers and applications deal with certain environment variables. It’s the latest and greatest BWAIN (Bug with an Interesting Name). There are two independent ways to protect yourself from this bug, and which one is best for you or your organization will depend on how you’ve implemented your systems. At its core is a difference between what the CGI spec (RFC 3875) says should happen and what application developers expect.
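The sketch below is an added example, not code from the HTTPoxy site or any affected project: it models the RFC 3875 rule that turns request headers into `HTTP_*` meta-variables, shows how a client-sent `Proxy` header collides with the `HTTP_PROXY` variable that HTTP client libraries commonly read, and shows the effect of dropping that header before the environment is built. The function names, the simplified client lookup and the sample request are assumptions made for illustration.

```python
# Added example: RFC 3875 header-to-meta-variable mapping and the HTTPoxy
# name collision. All names and the sample request are constructed.

def cgi_meta_variables(headers):
    """Map request headers to CGI meta-variables as RFC 3875 section 4.1.18
    describes: upper-case the name, replace '-' with '_', prefix 'HTTP_'."""
    env = {}
    for name, value in headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        # Repeated headers are joined with a comma, as servers commonly do.
        env[key] = env[key] + ", " + value if key in env else value
    return env

def strip_proxy_header(headers):
    """Mitigation: drop any client-supplied Proxy header before the CGI
    environment is built. Header names are case-insensitive."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]

def client_proxy_setting(env):
    """Simplified model of an HTTP client library that takes its outbound
    proxy from the process environment."""
    return env.get("HTTP_PROXY")

def build_cgi_env(headers, server_env, mitigate=True):
    """Merge the server's own environment with request-derived variables."""
    if mitigate:
        headers = strip_proxy_header(headers)
    env = dict(server_env)
    # Without the mitigation, request data overwrites HTTP_PROXY on collision.
    env.update(cgi_meta_variables(headers))
    return env

# Constructed sample request; proxy.example.invalid is a placeholder host.
SAMPLE_HEADERS = [
    ("Host", "app.example.test"),
    ("User-Agent", "sample-client/1.0"),
    ("pRoXy", "http://proxy.example.invalid:8080"),
]
SERVER_ENV = {"PATH": "/usr/bin"}  # the operator has configured no proxy

if __name__ == "__main__":
    for mitigate in (False, True):
        env = build_cgi_env(SAMPLE_HEADERS, SERVER_ENV, mitigate)
        print(f"mitigate={mitigate}: outbound proxy = {client_proxy_setting(env)!r}")
```

With the header stripped, a proxy the operator set deliberately in the server environment is left untouched, because nothing derived from the request can overwrite it.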

What’s Affected

There are 6 main categories of products that are currently affected by HTTPoxy:

Mitigation

The fastest way to “fix” your infrastructure is (generally) to apply one of the available mitigations. The HTTPoxy site has a list of mitigations that are available:

Patching

Additionally, there are a number of patches being worked on that should remove the potential for this vulnerability. A hat tip should go to the libwww-perl, curl and Ruby projects for patching and noticing this conflict before it became an issue. Because of the number of things that could be patched, I’m limiting the number of systems I’m checking to just the main 5 (Last Update 1469118992):